sylvain.david@etranges-libellules.fr
2006-Jul-04 14:04 UTC
[Samba] samba 3.0.22 default ACL issue
Hi, I use samba 3.0.22 as PDC on Debian with workstations under windows XP SP1 and SP2. I use ACLs to have a fine grained access rules. When I copy a directory from a client to a samba share, default ACLs are forgiven. exemple : after I copy the directory A on the samba share : getfacl A/ # file: A/ # owner: user1 # group: sambausers user::rwx group::--- other::--- default:user::rwx default:group::--- default:other::--- But the parent directory has default ACLs, I can prove it : getfacl . # file: . # owner: user1 # group: sambausers user::rwx user:root:rwx user:bacula:r-x group::--- group:sambaguests:rwx group:User_Standard:rwx group:User_Lead:rwx mask::rwx other::--- default:user::rwx default:user:root:rwx default:user:bacula:r-x default:group::--- default:group:sambaguests:rwx default:group:User_Standard:rwx default:group:User_Lead:rwx default:mask::rwx default:other::--- Is it a bug ? because default ACLs are applied if I copy files. So Why different behavior between directory and files ? I noticed that it happened only to local directories which belong to MYDOMAIN\user. If the owner of the local directory is LOCALCOMPUTER\user the default ACLs is applied correctly. But once again, it concerns only directory. When the file belong to MYDOMAIN\user ACLs are applied correctly. All what I want is that default ACLs are applied all the time whatever the owner of local directory. I try to play with "directory security mask", "force directory security mode", inherit permissions without success. Thank you for your help, I really don't know what to do. My smb.conf looks like that : # ----------------------------------------------------------------------------- # Global parameters # ----------------------------------------------------------------------------- [global] dos charset = 850 unix charset = ISO8859-1 workgroup = elb-lyon netbios name = server02 server string = server02.elb-lyon os level = 65 domain logons = Yes domain master = Yes local master = Yes preferred master = Yes wins support = Yes obey pam restrictions = Yes passdb backend = tdbsam, guest passwd program = /usr/bin/passwd %u passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully* passwd chat debug = Yes pam password change = Yes unix password sync = Yes syslog = 0 log level = 2 # log level max = 10 log file = /var/log/samba/log.%m max log size = 25600 dns proxy = No panic action = /usr/share/samba/panic-action %d invalid users = root2 # param?tres samba utilisateur par defaut logon drive = P: logon home = \\server02\%U logon path = \\server02\profiles\%U logon script = %U.cmd # gestion des comptes posix automatique :) # Gestion des comptes POSIX add machine script = /usr/sbin/useradd -g sambamachines -c Machine -d /dev/null -s /bin/false '%u' add user script = /usr/sbin/useradd -g sambausers -c Utilisateur -d /dev/null -s /bin/false '%u' add group script = /usr/sbin/groupadd '%g' add user to group script = /usr/bin/gpasswd -a '%u' '%g' delete user script = /usr/sbin/userdel -r '%u' delete group script = /usr/sbin/groupdel '%g' delete user from group script = /usr/bin/gpasswd -d '%u' '%g' set primary group script = /usr/sbin/usermod -g '%g' '%u' veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/ guest account = guest hosts allow = 192.168.0. 127. # ----------------------------------------------------------------------------- # Necessaire Domaine # ----------------------------------------------------------------------------- [homes] path = /mnt/SAN01/vd3_home2/home2/%u comment = Home Directories valid users = %S guest ok = No writable = Yes create mask = 0700 directory mask = 0700 browseable = No [netlogon] path = /mnt/SAN01/vd3_home2/netlogon comment = Partage NetLogon valid users = @sambausers @sambaguests root guest ok = No read only = Yes browseable = No [profiles] path = /mnt/SAN01/vd3_home2/profiles comment = Profils utilisateurs valid users = @sambausers @sambaguests root guest ok = No writable = Yes create mode = 0700 browseable = No # ----------------------------------------------------------------------------- # Partages # ----------------------------------------------------------------------------- [vd1_echange] comment = Zone d'echange. path = /mnt/SAN01/vd1_echange valid users = root @sambaadmins @sambaguests @User_Standard guest ok = No writable = Yes create mask = 0770 directory mask = 0770 browseable = yes # inherit permissions = yes inherit acls = yes hide unreadable = Yes # directory security mask = 0000 # force directory security mode = 0777 -- Sylvain DAVID / administrateur r?seau adr : Etranges Libellules .~. 17 Rue des Archers /v\ 69002 LYON /(?)\ tel : 04 72 40 24 72 ^^-^^ fax : 04 72 40 27 19 www.etranges-libellules.fr --
sylvain.david@etranges-libellules.fr
2006-Jul-12 15:12 UTC
[Samba] samba 3.0.22 default ACL issue
Hi, I sent an email on the mailing list of bestsbits (http://acl.bestbits.at/pipermail/acl-devel/2006-July/001980.html) because if nobody answer on this mailing list , it's probably directly linked to ACLs? But, I really don't know if the problem is only with bestsbits or only with samba because I can reproduce the bug only in samba, not in console. So this bug seems to be linked to samba ? Am I the only one who would like to use ACLs ? Are there any other solution to have a fine grained access rules which works with samba? (like trustees) because if default ACLs don't works, I think using ACLs is a no sense. For the while - hopping sometime this bug will be fix - I use a dirty script run by cron which check & fix ACLs. I know it's dirty... but I have I any other choice ? I give up with this mistery. I'm too tired. sylvain.david@etranges-libellules.fr a ?crit :> Hi, > > I use samba 3.0.22 as PDC on Debian with workstations under windows XP > SP1 and SP2. > I use ACLs to have a fine grained access rules. > > When I copy a directory from a client to a samba share, default ACLs > are forgiven. > exemple : after I copy the directory A on the samba share : > getfacl A/ > # file: A/ > # owner: user1 > # group: sambausers > user::rwx > group::--- > other::--- > default:user::rwx > default:group::--- > default:other::--- > > But the parent directory has default ACLs, I can prove it : > getfacl . > # file: . > # owner: user1 > # group: sambausers > user::rwx > user:root:rwx > user:bacula:r-x > group::--- > group:sambaguests:rwx > group:User_Standard:rwx > group:User_Lead:rwx > mask::rwx > other::--- > default:user::rwx > default:user:root:rwx > default:user:bacula:r-x > default:group::--- > default:group:sambaguests:rwx > default:group:User_Standard:rwx > default:group:User_Lead:rwx > default:mask::rwx > default:other::--- > > Is it a bug ? because default ACLs are applied if I copy files. So Why > different behavior between directory and files ? > I noticed that it happened only to local directories which belong to > MYDOMAIN\user. If the owner of the local directory is > LOCALCOMPUTER\user the default ACLs is applied correctly. But once > again, it concerns only directory. When the file belong to > MYDOMAIN\user ACLs are applied correctly. > > All what I want is that default ACLs are applied all the time whatever > the owner of local directory. > > I try to play with "directory security mask", "force directory > security mode", inherit permissions without success. > Thank you for your help, I really don't know what to do. > > My smb.conf looks like that : > > # > ----------------------------------------------------------------------------- > > # Global parameters > # > ----------------------------------------------------------------------------- > > [global] > dos charset = 850 > unix charset = ISO8859-1 > workgroup = elb-lyon > netbios name = server02 > server string = server02.elb-lyon > os level = 65 > domain logons = Yes > domain master = Yes > local master = Yes > preferred master = Yes > wins support = Yes > > obey pam restrictions = Yes > passdb backend = tdbsam, guest > passwd program = /usr/bin/passwd %u > passwd chat = *New*UNIX*password* %n\n > *ReType*new*UNIX*password* %n\n > *passwd:*all*authentication*tokens*updated*successfully* > passwd chat debug = Yes > pam password change = Yes > unix password sync = Yes > > syslog = 0 > log level = 2 > # log level max = 10 > log file = /var/log/samba/log.%m > max log size = 25600 > dns proxy = No > panic action = /usr/share/samba/panic-action %d > invalid users = root2 > > # param?tres samba utilisateur par defaut > logon drive = P: > logon home = \\server02\%U > logon path = \\server02\profiles\%U > logon script = %U.cmd > > # gestion des comptes posix automatique :) > # Gestion des comptes POSIX > add machine script = /usr/sbin/useradd -g sambamachines -c > Machine -d /dev/null -s /bin/false '%u' > add user script = /usr/sbin/useradd -g sambausers -c > Utilisateur -d /dev/null -s /bin/false '%u' > add group script = /usr/sbin/groupadd '%g' > add user to group script = /usr/bin/gpasswd -a '%u' '%g' > delete user script = /usr/sbin/userdel -r '%u' > delete group script = /usr/sbin/groupdel '%g' > delete user from group script = /usr/bin/gpasswd -d '%u' '%g' > set primary group script = /usr/sbin/usermod -g '%g' '%u' > > veto files = /lost+found/ .recycle/ aquota.user/ aquota.group/ > > guest account = guest > > hosts allow = 192.168.0. 127. > > # > ----------------------------------------------------------------------------- > > # Necessaire Domaine > # > ----------------------------------------------------------------------------- > > [homes] > path = /mnt/SAN01/vd3_home2/home2/%u > comment = Home Directories > valid users = %S > guest ok = No > writable = Yes > create mask = 0700 > directory mask = 0700 > browseable = No > > [netlogon] > path = /mnt/SAN01/vd3_home2/netlogon > comment = Partage NetLogon > valid users = @sambausers @sambaguests root > guest ok = No > read only = Yes > browseable = No > > [profiles] > path = /mnt/SAN01/vd3_home2/profiles > comment = Profils utilisateurs > valid users = @sambausers @sambaguests root > guest ok = No > writable = Yes > create mode = 0700 > browseable = No > > # > ----------------------------------------------------------------------------- > > # Partages > # > ----------------------------------------------------------------------------- > > [vd1_echange] > comment = Zone d'echange. > path = /mnt/SAN01/vd1_echange > valid users = root @sambaadmins @sambaguests @User_Standard > guest ok = No > writable = Yes > create mask = 0770 > directory mask = 0770 > browseable = yes > # inherit permissions = yes > inherit acls = yes > hide unreadable = Yes > # directory security mask = 0000 > # force directory security mode = 0777 > > >-- Sylvain DAVID / administrateur r?seau adr : Etranges Libellules .~. 17 Rue des Archers /v\ 69002 LYON /(?)\ tel : 04 72 40 24 72 ^^-^^ fax : 04 72 40 27 19 www.etranges-libellules.fr --
Apparently Analagous Threads
- sometimes, roaming profile is not found
- Samba PDC + ACL : default ACLs ignored on directory
- [LLVMdev] Compile-rt throw error undeclared identifier 'O_CLOEXEC'
- [LLVMdev] Compile-rt throw error undeclared identifier 'O_CLOEXEC'
- Samba mounted home shares will break many applications